Clément Notin
01eb60eaf8
Use AADInternals for AAD federation attack
Azure AD has two kinds of federated domains: the one that can be used to authenticate on AAD as an AAD user, and the one that can be used to authenticate as a guest user (also called an external identity).
The current implementation of the attack seems to work, but actually it uses the cmdlets to create a federated domain for external identities, which is not what we want to showcase for this ATT&CK technique, since such a federated domain does not allow authenticating as an AAD user.
Sorry for missing this when I supervised the initial work on this ART test.
The newest method uses AADInternals, which is a popular attack framework for AAD and which offers exactly the cmdlet we need.
2022-11-15 17:35:31 +01:00
Atomic Red Team doc generator
9175d8dc59
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-15 16:01:55 +00:00
Atomic Red Team GUID generator
a0c3f39325
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-15 16:01:47 +00:00
codec-hasqui
0440c69f3b
T1567.002.yaml creation with new rclone to Mega exfil test ( #2228 )
* Create T1567.002.yaml
* Add files via upload
* Delete T1567.002.yaml
* Update T1567.002.yml
* Update T1567.002.yml
* Update T1567.002.yml
* Create T1567.002.yaml
* Delete T1567.002.yml
* Update T1567.002.yaml
* Update T1567.002.yaml
* update display name
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-11-15 11:01:20 -05:00
Atomic Red Team doc generator
6024dac957
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-15 15:56:55 +00:00
Carrie Roberts
cecca22f67
HiveNightmare simplifications ( #2230 )
* HiveNightmare simplifications
* Update T1003.002.yaml
* Update T1003.002.yaml
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
2022-11-15 08:56:24 -07:00
Atomic Red Team doc generator
feca620bc4
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-15 15:48:37 +00:00
Jacques Decarie
291ff6f4c6
updating T1021.006-2 ( #2229 )
2022-11-15 10:47:54 -05:00
Atomic Red Team doc generator
fb7b147eac
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-10 17:01:07 +00:00
Carrie Roberts
ebe511a738
small title correction ( #2226 )
2022-11-10 12:00:37 -05:00
Atomic Red Team doc generator
2a798d98d1
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-10 16:59:20 +00:00
Carrie Roberts
956a699a65
expand description ( #2227 )
* expand description
* add cve number and link
2022-11-10 11:58:47 -05:00
Atomic Red Team doc generator
6d0287a984
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-09 16:35:35 +00:00
Atomic Red Team GUID generator
0342b04584
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-09 16:35:29 +00:00
Jose Enrique Hernandez
c9ccfd64a3
Merge pull request #2220 from packetzero/am_t1547007_reopen_coded
Add two MacOS T1547.007 loginwindow reopen tests
2022-11-09 11:35:01 -05:00
Jose Enrique Hernandez
5e0b77ff35
Merge branch 'master' into am_t1547007_reopen_coded
2022-11-09 11:34:18 -05:00
Jose Enrique Hernandez
b567130807
Merge branch 'master' into am_t1547007_reopen_coded
2022-11-09 11:34:11 -05:00
Atomic Red Team doc generator
c72cc5c3aa
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-09 16:34:10 +00:00
Atomic Red Team GUID generator
1f1800a730
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-09 16:34:04 +00:00
Jose Enrique Hernandez
3fec85b734
Merge branch 'master' into am_t1547007_reopen_coded
2022-11-09 11:33:52 -05:00
Jose Enrique Hernandez
5cdfa5a9a6
Merge pull request #2217 from packetzero/am_t1547006_kextload
Add T1547.006 kernel module load and unload tests for MacOS
2022-11-09 11:33:40 -05:00
Jose Enrique Hernandez
89aa57c332
Merge branch 'master' into am_t1547006_kextload
2022-11-09 11:33:03 -05:00
Atomic Red Team doc generator
2b62e8a3c0
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-09 16:29:21 +00:00
Atomic Red Team GUID generator
9f65cb32e3
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-09 16:29:15 +00:00
Jose Enrique Hernandez
352136941c
Merge pull request #2212 from packetzero/am_t1040_macos_pcap
Add two T1040 packet capture tests for macos using /dev/bpf
2022-11-09 11:28:43 -05:00
Jose Enrique Hernandez
db1b815881
Merge branch 'master' into am_t1040_macos_pcap
2022-11-09 11:27:07 -05:00
Atomic Red Team doc generator
c55f3ecce0
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-07 21:25:36 +00:00
Carrie Roberts
ee954d215c
mv 2 1547 tests to 1546 ( #2223 )
2022-11-07 14:25:09 -07:00
Atomic Red Team doc generator
55d2311eeb
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-07 21:21:50 +00:00
Atomic Red Team GUID generator
09ad06700a
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-07 21:21:43 +00:00
BlueTeamOps
83ca10639b
Update T1003 ( #2225 )
* Added AppCmd list command
AppCmd list command can be used to retrieve IIS service account credentials.
* Update - Test name update and a new test
Updated the test name of 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
Added a new test to simulate /config command for AppCmd
2022-11-07 14:21:05 -07:00
Atomic Red Team doc generator
17b4c931b6
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-07 14:39:00 +00:00
Atomic Red Team GUID generator
c03fb24928
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-07 14:38:54 +00:00
BlueTeamOps
ae01b90e1f
Added AppCmd list command ( #2224 )
AppCmd list command can be used to retrieve IIS service account credentials.
2022-11-07 07:38:16 -07:00
packetzero
576d92a4dc
fix prerequisite check for compile step
2022-11-04 16:46:04 -05:00
Alex M
3c28d6cb5d
make Invoke happy with prereq check, remove comments in executor script
2022-11-04 16:41:57 -05:00
Jose Enrique Hernandez
7678b665a0
Merge branch 'master' into am_t1547007_reopen_coded
2022-11-04 16:35:56 -04:00
Jose Enrique Hernandez
11d4b8086d
Merge branch 'master' into am_t1040_macos_pcap
2022-11-04 16:06:31 -04:00
Atomic Red Team doc generator
dc947ea3ae
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-04 19:38:42 +00:00
Atomic Red Team GUID generator
b4ce61ac45
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-04 19:38:35 +00:00
Jose Enrique Hernandez
d5b7ecb116
Merge pull request #2211 from packetzero/am_t1547_015_loginitem
Add macOS T1547.015 add/remove LoginItem via AppleScript
2022-11-04 15:38:08 -04:00
Jose Enrique Hernandez
aaca4c60e6
Merge branch 'master' into am_t1547_015_loginitem
2022-11-04 15:37:22 -04:00
Atomic Red Team doc generator
721e184423
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-04 17:04:14 +00:00
Jose Enrique Hernandez
3a0d280883
Merge pull request #2195 from jmac774/patch-2
Fix T1546.004 for remote execution on Linux
2022-11-04 13:03:41 -04:00
Jose Enrique Hernandez
4921b5f679
Merge branch 'master' into patch-2
2022-11-04 13:00:59 -04:00
Atomic Red Team doc generator
f1fe367fc7
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-03 20:06:21 +00:00
Atomic Red Team GUID generator
422ab1751f
Generate GUIDs from job=generate-docs branch=master [skip ci]
2022-11-03 20:06:15 +00:00
Thomas de Brelaz
96b45ecbbf
Added missing test for T1547.014 Active Setup, 3 tests created ( #2219 )
* Added missing test for T1547.014 Active Setup, 3 tests created
Committer: Thomas De Brelaz <thockoro@hotmail.com>
* some format changes and simplifications
* Update T1547.014.yaml
Co-authored-by: Thomas De Brelaz <thomas.de-brelaz@ubisoft.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-11-03 15:05:44 -05:00
Atomic Red Team doc generator
5f084fc1e1
Generated docs from job=generate-docs branch=master [ci skip]
2022-11-03 18:45:42 +00:00
DerKi
ae1493e46e
Update T1560.001.yaml ( #2221 )
The name for "Compress Data and lock with password for Exfiltration with winzip" of T1560.001.yaml
The Invoke-WebRequestVerifyHash function has no import.
2022-11-03 13:45:03 -05:00